Пример #1
    def remove_ipa_ca_cnames(self, domain_name):
        """Delete the ipa-ca CNAME records found in zone *domain_name*.

        Nothing is deleted unless every record's target is one of the hosts
        returned by ``get_masters``; otherwise a warning is logged and the
        records are left in place. A missing zone or an empty record set is
        a silent no-op.
        """
        try:
            records = get_rr(domain_name, IPA_CA_RECORD, "CNAME", api=self.api)
        except errors.NotFound:
            # the zone does not exist, so there is nothing to clean up
            return
        if not records:
            return

        logger.info('Removing IPA CA CNAME records')

        # Absolute targets (trailing dot) are taken as they are, minus the
        # dot; relative targets are qualified with the zone name.
        target_of = {
            record: (record[:-1] if record.endswith('.')
                     else '%s.%s' % (record, domain_name))
            for record in records
        }

        try:
            ipa_masters = set(get_masters(self.api.Backend.ldap2))
        except errors.NotFound:
            ipa_masters = set()

        # All-or-nothing: one record pointing outside the set of masters
        # aborts the whole removal.
        # NOTE(review): this is an exact string comparison; confirm that both
        # the record targets and the master names are case-normalised.
        if any(target_of[record] not in ipa_masters for record in records):
            logger.warning(
                "Cannot remove IPA CA CNAME please remove them manually "
                "if necessary")
            return

        for record in records:
            del_rr(domain_name, IPA_CA_RECORD, "CNAME", record, api=self.api)
Пример #2
    def remove_ipa_ca_cnames(self, domain_name):
        """Remove the ipa-ca CNAME records from the zone *domain_name*.

        The records are deleted only if each of them points at a host that
        ``get_masters`` reports. If any record points elsewhere, a warning
        is logged and no record is touched.
        """
        def qualify(name):
            # a trailing dot marks an absolute name; anything else is
            # relative to the zone
            if name.endswith('.'):
                return name[:-1]
            return '%s.%s' % (name, domain_name)

        try:
            found = get_rr(domain_name, IPA_CA_RECORD, "CNAME", api=self.api)
        except errors.NotFound:
            # no such zone
            found = None
        if not found:
            return

        logger.info('Removing IPA CA CNAME records')

        # resolve every record before the masters are looked up
        resolved = [(name, qualify(name)) for name in found]

        try:
            known_masters = set(get_masters(self.api.Backend.ldap2))
        except errors.NotFound:
            known_masters = set()

        # refuse to delete anything as soon as one target is not a master
        for _name, fqdn in resolved:
            if fqdn in known_masters:
                continue
            logger.warning(
                "Cannot remove IPA CA CNAME please remove them manually "
                "if necessary")
            return

        for name in found:
            del_rr(domain_name, IPA_CA_RECORD, "CNAME", name, api=self.api)
Пример #3
    def disable_agreements(self):
        '''
        Disable every replication agreement found on every other master.

        The local host (api.env.host) is skipped. A master that cannot be
        contacted is reported at CRITICAL level and skipped; a master whose
        entry has no children under container_masters is skipped silently.
        Masters that list a 'CA' service also get their CA replication
        agreements disabled.
        '''
        try:
            ldap_conn = self.get_connection()
        except Exception as err:
            logger.error('Unable to get connection, skipping disabling '
                         'agreements: %s', err)
            return

        for master in get_masters(ldap_conn):
            if master == api.env.host:
                continue

            # self.dirman_password is handed to the manager of every remote
            # master that is visited
            try:
                manager = ReplicationManager(api.env.realm, master,
                                             self.dirman_password)
            except Exception as err:
                logger.critical("Unable to disable agreement on %s: %s",
                                master, err)
                continue

            master_dn = DN(('cn', master), api.env.container_masters,
                           api.env.basedn)
            try:
                service_entries = manager.conn.get_entries(
                    master_dn, manager.conn.SCOPE_ONELEVEL)
            except errors.NotFound:
                continue

            service_names = [svc.single_value['cn']
                             for svc in service_entries]

            # the peer list is built completely before anything is disabled
            peers = [agreement.single_value.get('nsds5replicahost')
                     for agreement in manager.find_ipa_replication_agreements()]
            for peer in peers:
                logger.info('Disabling replication agreement on %s to %s',
                            master, peer)
                manager.disable_agreement(peer)

            if 'CA' not in service_names:
                continue

            # same procedure for the CA agreements of this master
            try:
                manager = get_cs_replication_manager(api.env.realm, master,
                                                     self.dirman_password)
            except Exception as err:
                logger.critical("Unable to disable agreement on %s: %s",
                                master, err)
                continue

            peers = [agreement.single_value.get('nsds5replicahost')
                     for agreement in manager.find_ipa_replication_agreements()]
            for peer in peers:
                logger.info('Disabling CA replication agreement on %s to '
                            '%s', master, peer)
                manager.hostnames = [master, peer]
                manager.disable_agreement(peer)
Пример #4
    def disable_agreements(self):
        '''
        Walk all masters except the local one and disable their replication
        agreements, including the CA agreements of masters that list a 'CA'
        service.

        Failures to reach a master are logged at CRITICAL level and that
        master is skipped; a failure to get the initial connection is logged
        as an error and ends the method.
        '''
        def peers_of(manager):
            # one nsds5replicahost value per agreement entry
            agreements = manager.find_ipa_replication_agreements()
            return [item.single_value.get('nsds5replicahost')
                    for item in agreements]

        def report_unreachable(name, error):
            logger.critical("Unable to disable agreement on %s: %s",
                            name, error)

        try:
            conn = self.get_connection()
        except Exception as exc:
            logger.error('Unable to get connection, skipping disabling '
                         'agreements: %s', exc)
            return

        local_host_skipped = (m for m in get_masters(conn)
                              if m != api.env.host)
        for master in local_host_skipped:
            # the Directory Manager password goes to each remote master's
            # replication manager
            try:
                repl = ReplicationManager(api.env.realm, master,
                                          self.dirman_password)
            except Exception as exc:
                report_unreachable(master, exc)
                continue

            master_dn = DN(('cn', master), api.env.container_masters,
                           api.env.basedn)
            try:
                children = repl.conn.get_entries(master_dn,
                                                 repl.conn.SCOPE_ONELEVEL)
            except errors.NotFound:
                continue
            has_ca = 'CA' in [child.single_value['cn'] for child in children]

            for peer in peers_of(repl):
                logger.info('Disabling replication agreement on %s to %s',
                            master, peer)
                repl.disable_agreement(peer)

            if has_ca:
                try:
                    repl = get_cs_replication_manager(api.env.realm, master,
                                                      self.dirman_password)
                except Exception as exc:
                    report_unreachable(master, exc)
                    continue

                for peer in peers_of(repl):
                    logger.info('Disabling CA replication agreement on %s to '
                                '%s', master, peer)
                    repl.hostnames = [master, peer]
                    repl.disable_agreement(peer)
Пример #5
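    def execute(self, *keys, **options):
        """Collect the login status of one user from every IPA master.

        Each master returned by ``get_masters`` is queried for the user's
        Kerberos login counters and ``nsaccountlock``. A master that cannot
        be reached or queried still contributes one entry, carrying only the
        DN and a failure message in ``server``.

        Returns a dict with ``result`` (one entry per master), ``count``,
        ``truncated`` (always False) and ``summary``.

        Raises whatever ``handle_not_found`` produces when a master reports
        that the user entry does not exist.
        """
        ldap = self.obj.backend
        dn = self.api.Object.user.get_either_dn(*keys, **options)
        attr_list = [
            'krbloginfailedcount', 'krblastsuccessfulauth',
            'krblastfailedauth', 'nsaccountlock'
        ]

        disabled = False
        masters = get_masters(ldap)

        entries = []
        count = 0
        for host in masters:
            if host == api.env.host:
                # the local master is read through the already open backend
                other_ldap = self.obj.backend
            else:
                try:
                    # NOTE(review): plain ldap:// URI; protection of this
                    # connection presumably relies on the security layer
                    # negotiated by gssapi_bind() - confirm a minimum is
                    # enforced.
                    other_ldap = LDAPClient(ldap_uri='ldap://%s' % host)
                    other_ldap.gssapi_bind()
                except Exception as e:
                    logger.error(
                        "user_status: Connecting to %s failed with "
                        "%s", host, str(e))
                    newresult = {'dn': dn}
                    # NOTE(review): the raw exception text is returned to the
                    # API caller here; confirm it cannot expose more than
                    # the caller should see.
                    newresult['server'] = _("%(host)s failed: %(error)s"
                                            ) % dict(host=host, error=str(e))
                    entries.append(newresult)
                    count += 1
                    continue
            try:
                entry = other_ldap.get_entry(dn, attr_list)
                newresult = {'dn': dn}
                for attr in ['krblastsuccessfulauth', 'krblastfailedauth']:
                    newresult[attr] = entry.get(attr, [u'N/A'])
                newresult['krbloginfailedcount'] = entry.get(
                    'krbloginfailedcount', u'0')
                if not options.get('raw', False):
                    # reformat the timestamps unless raw output was requested
                    for attr in ['krblastsuccessfulauth', 'krblastfailedauth']:
                        try:
                            if newresult[attr][0] == u'N/A':
                                continue
                            newtime = time.strptime(newresult[attr][0],
                                                    '%Y%m%d%H%M%SZ')
                            newresult[attr][0] = unicode(
                                time.strftime('%Y-%m-%dT%H:%M:%SZ', newtime))
                        except Exception as e:
                            logger.debug("time conversion failed with %s",
                                         str(e))
                newresult['server'] = host
                if options.get('raw', False):
                    time_format = '%Y%m%d%H%M%SZ'
                else:
                    time_format = '%Y-%m-%dT%H:%M:%SZ'
                newresult['now'] = unicode(strftime(time_format, gmtime()))
                convert_nsaccountlock(entry)
                if 'nsaccountlock' in entry:
                    # the value from the last master that answers wins
                    disabled = entry['nsaccountlock']
                self.api.Object.user.get_preserved_attribute(entry, options)
                entries.append(newresult)
                count += 1
            except errors.NotFound:
                raise self.api.Object.user.handle_not_found(*keys)
            except Exception as e:
                logger.error(
                    "user_status: Retrieving status for %s failed "
                    "with %s", dn, str(e))
                newresult = {'dn': dn}
                newresult['server'] = _("%(host)s failed") % dict(host=host)
                entries.append(newresult)
                count += 1
            finally:
                # Close connections opened in this loop on every exit path,
                # including the NotFound re-raise above; the shared local
                # backend is never closed here.
                if host != api.env.host:
                    other_ldap.close()

        return dict(
            result=entries,
            count=count,
            truncated=False,
            # Interpolate after the catalogue lookup, as the other messages
            # in this method do; formatting inside _() changes the msgid so
            # that no translation can match.
            summary=unicode(
                _('Account disabled: %(disabled)s') % dict(disabled=disabled)),
        )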
Пример #6
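    def execute(self, *keys, **options):
        """Report a user's login status as seen by each IPA master.

        Every master from ``get_masters`` is asked for the user's failed
        login count, last successful and last failed authentication, and
        ``nsaccountlock``. Masters that fail to connect or answer are
        represented by an entry holding the DN and a failure text.

        Returns a dict with the keys ``result``, ``count``, ``truncated``
        (always False) and ``summary``. The exception built by
        ``handle_not_found`` is raised if a master has no entry for the user.
        """
        ldap = self.obj.backend
        dn = self.api.Object.user.get_either_dn(*keys, **options)
        attr_list = ['krbloginfailedcount', 'krblastsuccessfulauth', 'krblastfailedauth', 'nsaccountlock']

        disabled = False
        masters = get_masters(ldap)

        entries = []
        count = 0
        for host in masters:
            if host == api.env.host:
                # reuse the open backend for the local master
                other_ldap = self.obj.backend
            else:
                try:
                    # NOTE(review): ldap:// rather than ldaps://; whether the
                    # traffic is protected depends on what gssapi_bind()
                    # negotiates - confirm.
                    other_ldap = LDAPClient(ldap_uri='ldap://%s' % host)
                    other_ldap.gssapi_bind()
                except Exception as e:
                    logger.error("user_status: Connecting to %s failed with "
                                 "%s", host, str(e))
                    newresult = {'dn': dn}
                    # NOTE(review): str(e) ends up in the response sent to
                    # the caller - confirm that is intended.
                    newresult['server'] = _("%(host)s failed: %(error)s") % dict(host=host, error=str(e))
                    entries.append(newresult)
                    count += 1
                    continue
            try:
                entry = other_ldap.get_entry(dn, attr_list)
                newresult = {'dn': dn}
                for attr in ['krblastsuccessfulauth', 'krblastfailedauth']:
                    newresult[attr] = entry.get(attr, [u'N/A'])
                newresult['krbloginfailedcount'] = entry.get('krbloginfailedcount', u'0')
                if not options.get('raw', False):
                    # convert the stored timestamps to the non-raw format
                    for attr in ['krblastsuccessfulauth', 'krblastfailedauth']:
                        try:
                            if newresult[attr][0] == u'N/A':
                                continue
                            newtime = time.strptime(newresult[attr][0], '%Y%m%d%H%M%SZ')
                            newresult[attr][0] = unicode(time.strftime('%Y-%m-%dT%H:%M:%SZ', newtime))
                        except Exception as e:
                            logger.debug("time conversion failed with %s",
                                         str(e))
                newresult['server'] = host
                if options.get('raw', False):
                    time_format = '%Y%m%d%H%M%SZ'
                else:
                    time_format = '%Y-%m-%dT%H:%M:%SZ'
                newresult['now'] = unicode(strftime(time_format, gmtime()))
                convert_nsaccountlock(entry)
                if 'nsaccountlock' in entry:
                    # overwritten on each iteration; the last answer is kept
                    disabled = entry['nsaccountlock']
                self.api.Object.user.get_preserved_attribute(entry, options)
                entries.append(newresult)
                count += 1
            except errors.NotFound:
                raise self.api.Object.user.handle_not_found(*keys)
            except Exception as e:
                logger.error("user_status: Retrieving status for %s failed "
                             "with %s", dn, str(e))
                newresult = {'dn': dn}
                newresult['server'] = _("%(host)s failed") % dict(host=host)
                entries.append(newresult)
                count += 1
            finally:
                # Runs on the NotFound re-raise as well, so a connection
                # opened above is not left open; the local backend is shared
                # and stays open.
                if host != api.env.host:
                    other_ldap.close()

        # Format the message after _() has looked it up; formatting first
        # changes the msgid, and the "failed" messages above already use
        # this order.
        return dict(result=entries,
                    count=count,
                    truncated=False,
                    summary=unicode(_('Account disabled: %(disabled)s') %
                                    dict(disabled=disabled)),
        )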